Abstract
Traditionally signature-based network Intrusion Detection Systems (IDS) rely on inputs from domain experts and can only identify the attacks if they occur as individual event. IDS generate large number of alerts and it becomes very difficult for human users to go through each message. Previous researches have proposed analytics based approaches to analyze IDS alert patterns based on anomaly detection models, multi-steps models or probabilistic approaches. However, due to the complexities of network intrusions, it is impossible to develop all possible attack patterns or to avoid false positives. With the advance in technologies and popularity of networks in our daily life, it is becoming more and more difficult to detect network intrusions. However, no matter how rapid the technologies change, the human behaviors behind the cyber attacks stay relatively constant. This provides us an opportunity to develop an improved system to detect the unusual cyber attacks. In this paper, we developed four network intrusion models based on consideration of human factors. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging. These Models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish the non-attack network traffic that was potentially missed by SNORT as indicated by ground truth validation of the data.
Similar content being viewed by others
References
Anwar, F., Anwar, Z., et al. (2011). Digital forensics for eucalyptus. In Frontiers of Information Technology (FIT), 2011 (pp. 110–116). IEEE.
Cheung, S., Lindqvist, U., Fong, M.W. (2003). Modeling multistep cyber attacks for scenario recognition. In DARPA information survivability conference and exposition, 2003. Proceedings (vol. 1, pp. 284–292). IEEE.
Cuppens, F., & Miège, A. (2002). Alert correlation in a cooperative intrusion detection framework. In 2002 IEEE symposium on security and privacy, 2002. Proceedings (pp. 202–215). IEEE.
Denning, D.E. (1987). An intrusion-detection model. IEEE Transactions on Software Engineering, SE-13(2), 222–232.
Dey, S., Janeja, V.P., Gangopadhyay, A. (2009). Temporal neighborhood discovery through unequal depth binning. In IEEE International Conference on Data Mining (ICDM’09).
Dodge Jr, R.C., & Wilson, T. (2003). Network traffic analysis from the cyber defense exercise. In IEEE international conference on systems, man and cybernetics, 2003 (vol. 5, pp. 4317–4321). IEEE.
Fanelli, R. (2010). The value of competition. SC Magazine.
Kim, S.J., & Hong, S. (2011). Study on the development of early warning model for cyber attack. In 2011 International Conference on Information Science and Applications (ICISA) (pp. 1–8). IEEE.
Liu, Z., Wang, C., Chen, S. (2008). Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In International conference on information security and assurance, 2008. ISA 2008 (pp. 214–219). IEEE.
Miles, W. (2001). Hack proofing sun solaris 8—protect your solaris network from attack (1st ed., pp. 83–85, 257). New York: Syngress.
Namayanja, J.M., & Janeja, V.P. (2013). Discovery of persistent threat structures through temporal and geo-spatial characterization in evolving networks. In IEEE Intelligence and Security Informatics (ISI).
Nguyen, H.D., Gutta, S., Cheng, Q. (2010). An active distributed approach for cyber attack detection. In 2010 conference record of the forty fourth asilomar conference on signals, systems and computers (ASILOMAR) (pp. 1540–1544). IEEE.
Ning, P., Cui, Y., Reeves, D.S., Xu, D. (2004). Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security (TISSEC), 7(2), 274–318.
Orebaugh, A.D., Biles, S., Babbin, J. (2005). Snort cookbook. O’Reilly Media, Inc.
Rehman, R.U. (2003). Intrusion detection systems with Snort: Advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. Prentice Hall PTR.
Roesch, M., & Green, C. (2003). Snort users manual 2.9.3. (pp. 1–2, 179–180).
Sangster, B., O’Connor, T.J., Cook, T., Fanelli, R., Dean, E., Adams, W.J., Morrell, C., Conti, G. (2009). Toward instrumenting network warfare competitions to generate labeled datasets. In Proceedings of the 2nd conference on cyber security experimentation and test (pp. 9–9). USENIX Association.
Snort (software) (2013). Wikipedia.com ID: 551979534.
Valdes, A., & Skinner, K. (2001). Probabilistic alert correlation. In Recent advances in intrusion detection (pp. 54–68). Springer.
Youssef, A., & Emam, A. (2012). Network intrusion detection using data mining and network behaviour analysis. International Journal of Computer Science & Information Technology, 3.6, 87–98.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Chen, S., Janeja, V.P. Human perspective to anomaly detection for cybersecurity. J Intell Inf Syst 42, 133–153 (2014). https://doi.org/10.1007/s10844-013-0266-3
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10844-013-0266-3